Management Port & Port Forwarding
Hi, I seem to be having a problem with port forwarding. When I specify port forwarding for www (port 8081 -> internal device port 80) everything works fine. When I reconfigure the management interface (http: port 8080, disabled, https: port 443, enable) and switch the port forwarding to the default port (port 80 -> internal device port 80), port forwarding no longer works (for the entry I specified – port 80). Any traffic destined for port 8080 gets redirected to 443 (https) and traffic to port 80 is refused. Is this something with my ISP (i.e. firewall rules) or is it a problem with my ruckus modem?
thanks,
-Mark
mr.haviland, with the 2211 in default state, while pointing your web browser to http://ip_address, you will be redirected automatically to https://ip_address, so the webserver on the 2211 automatically switches to secure http. By default there is no Port Forwarding rule for port 80 (http), so I believe your configuration is confusing the device. You connect to the 2211 remotely, it wants to switch to https, but the Port Forwarding rule says it needs to use port 80 and that is not supported by the 2211 (it only supports https). Therefore I recommend deleting the port 80—port 80 rule and trying again.
Ruckus Support
Thanks for the response. I think that I just need some clarification before I go back to my ISP and ask them why port forwarding does not work. Here is my current configuration:
http-port-number=’8080’
networks/port_fwd_rules/www/endport=’80’
In the above configuration, port forwarding to 80 does not work. But, if I change it to 8081, it does. I am assuming that it is not the ruckus that is causing this problem. Is that correct?
Also, if from an internal system I make an http://ip_addr request (where ip_addr is my public IP given by my ISP), the ruckus should follow the port forwarding rule in place (assuming that 80 will work). Is this correct? Will that traffic go to the gateway before traversing back to the ruckus? Currently (when using port 80) I get a ‘connection refused’ response, but I cannot figure out if this is from the ruckus or the gateway at my ISP. Note, this does not happen with my ssh configuration (same principle as what I am trying to do with http traffic).
Couple more questions… Is there a command to display the current routing table information? Is there an equivalent command to the unix ‘arp’ command?
thanks much,
-Mark
I see from my post above the ‘<my>’ was stripped – what should have been there was ‘my private IP address—not the ruckus internal address’
-Mark
Mark, I’ve tested it both ways (see below) and it works fine for me either way:
Leave default http port on the 2211 at 80, state is disabled and add Port Forwarding rule port 8080 to port 80 towards an internal host: works
It sounds to me as if your Internet router (ADSL, cable modem, broadband router, etc) is blocking port 80. Have you checked that configuration? Remember Port Forwarding is used to open up the firewall on the 2211 for certain incoming traffic. By default connections established “from the outside”, i.e. from the Internet side, are blocked by the 2211, unless there is a Port Forwarding rule.
Your question above about testing the Port Forwarding rule from within your private network is not valid as the connection is initiated from within your private network. If you want to test this setup locally, you need to buy/borrow a 3rd party AccessPoint, configure the Metro SSID on it and connect the 2211 to your 3rd party AP. Then initiate an HTTP session from behind the 3rd party AP through the 2211 to your internal host.
Commands to display the routing table or ARP table are only available to Ruckus personnel.
Ruckus Support
PS: Notice the Edit Post link in the grey column on the left? This allows you to correct typos and errors… :-)
Thanks for the reply. The Ruckus is my modem to the Internet (ISP) and I connect that to another wireless gateway. I am able to verify via my wireless router that port forwarding is working on port 80. You have confirmed for me that my ISP is blocking the inbound traffic on port 80 – thanks! They allow port 443 inbound (which works – I reconfigured the admin port to listen on a different https port), but have screwed up on port 80.
The reason I was asking to display the routing tables is that I still am having problems getting outbound traffic (to my global IP) to make the trip back inside. I get a connection refused, but cannot figure out if that is coming from the ruckus or my ISP’s gateway. I am assuming that traffic that is destined to the IP I receive from my ISP will go to the gateway (as configured in my ruckus) before making the trip back. Can you confirm this for me?
thanks much.
-Mark
Mark, I just found out that Port Forwarding rules are NOT applied when traffic is sent by a station on the private network. In your example, trying to access the public IP address of the 2211 from a station which is connected to your private network will not trigger the Port Forwarding rule. Only for traffic originated from a station on the Metro side, the 2211 will apply Port Forwarding rules.
BTW: the above traffic will make a U-turn inside the 2211 and will NOT be sent to the ISP’s gateway. The traffic will not leave the box as it knows it is destined for an IP address which is in its routing table (i.e. Metro IP of the 2211).
Ruckus Support
Thanks again for the reply. I am a bit confused as to how I can test certain functionality within my private address space. Here is my situation. I have a vanity www site which is mapped to the IP address provided by my ISP. From outside of my private address space, I can access the site, but internally I keep getting a connection refused. Is that what you mean by ‘will not leave the box’?
thanks,
-Mark
Mark, If you are trying to test external reachability by using an internal/private station, trying to reach your private server on the public IP address, then I am afraid that is not possible. As mentioned, Port Forwarding rules are not applied to traffic originated from your private network, which is the reason you keep getting a connection refused. The traffic is processed by the 2211, but it is not mapped to your internal server, because Port Forwarding rules are only applied to traffic originated from the Metro/Internet side of the 2211.
Ruckus Support
Can’t get there from here… Do you know if there is a work-around for this (i.e. setting static route… seems doubtful)? Will this be fixed in a future release?
thanks,
-Mark
Mark, routing is not the issue, port forwarding rules are not applied. I can put in a feature request, which will be evaluated by our PMs. No guarantees this will be implemented though, it all depends on the demand for this feature and the time it will take to implement it.
Ruckus Support
This posting was very helpful. I could not figure out why my port forwarding seemed to have no impact. I was able to connect a laptop to an “outside” internet connection and then the port forwarding worked fine. It would be really helpful to be able to test port forwarding from inside one’s own network. I’m not really sure how anyone is supposed to know if things are set up right unless, I suppose, you set the rules up remotely (from work, say) but then you don’t really have a good way to tweak a web server etc at the same time. Thanx again. I was tearing my hair out.